registry  /  @bernierllc/sender-identity-verification  /  3.0.1

@bernierllc/sender-identity-verification@3.0.1

Individual sender email address verification service for email production compliance

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious execution path was found. Runtime networking is explicit sender-verification functionality using caller-provided configuration; however, the published test environment file exposes credential material.

Static reason
One or more suspicious static signals were detected.
Trigger
A consumer explicitly creates/verifies a sender or reads the packaged test file.
Impact
Potential unauthorized use of exposed third-party credentials; no package-driven credential exfiltration or host mutation was found.
Mechanism
Configured SendGrid API request; bundled credential exposure.
Rationale
The source implements a sender-verification library and its network call is package-aligned and user-invoked. Bundling nonempty credentials is a concrete security risk that warrants a warning, but it is not evidence of malicious package behavior.
Evidence
package.jsondist/index.jssrc/config.tssrc/SenderIdentityVerification.tssrc/providers/SendGridProvider.ts.env.test
Network endpoints1
api.sendgrid.com/v3

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `.env.test` ships nonempty Name.com and SendGrid credential variables.
  • `src/config.ts` reads provider credentials only when callers invoke configuration loading.
  • `src/providers/SendGridProvider.ts` sends the configured key only to SendGrid's API.
Evidence against
  • `package.json` has no preinstall/install/postinstall hooks or bin entrypoint.
  • `dist/index.js` only loads local library modules; no import-time network or filesystem action.
  • Source and compiled code contain no child-process, eval, filesystem-write, or persistence primitives.
  • Dynamic imports in `src/SenderIdentityVerification.ts` are fixed local provider modules selected during verification.
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 25 file(s), 121 KB of source, external domains: api.sendgrid.com, app.smtp2go.com, mandrillapp.com

Source & flagged code

3 flagged · loading source
.env.testView file
6patternName = sendgrid_api_key severity = critical line = 6 matchedText = SENDGRID...nIpo
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.testView on unpkg · L6
6patternName = sendgrid_api_key severity = critical line = 6 matchedText = SENDGRID...nIpo
Critical
Secret Pattern

SendGrid API key in .env.test

.env.testView on unpkg · L6
__tests__/providers.test.tsView file
298patternName = aws_access_key severity = critical line = 298 matchedText = const pr...1');
Critical
Secret Pattern

AWS access key ID in __tests__/providers.test.ts

__tests__/providers.test.tsView on unpkg · L298

Findings

3 Critical2 Medium4 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
CriticalSecret Pattern__tests__/providers.test.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License